The PCI DSS is an important global security standard that’s been helping to safeguard retailers and their customers for over a decade. Covering all channels – online, in-store, mobile or MOTO (mail order/telephone order) – it ensures that the right controls are in place to safely store, transmit and process customers’ sensitive payment data.
Failing to comply can expose merchants to extra card charges and potential fines, and it makes them easier prey for fraudsters.
Unsurprisingly, most European businesses are now either PCI compliant, or in the process of gaining compliance. Smart merchants will have managed to reduce their scope, using PCI point to point encryption (P2PE) and tokenization, or have successfully shifted the responsibility to others by outsourcing to a PCI approved ‘payments as a service’ provider.
PCI Compliance is more than a box tick
For many merchants, however, there’s still lots of confusion about what PCI compliance means for their business and what they have to do in order to ensure their systems remain secure.
Often approached as an annual ‘box-ticking’ exercise, PCI compliance can become a huge and onerous task, causing disruption and a drain on resources. Unread documentation, poor systems and bad implementation can lead to a frenzy of activity when the audit is due or the QSA (Qualified Security Assessor) representatives are expected.
PCI compliance is not a once-a-year activity. It has to be a living, breathing part of daily, weekly and monthly operations and actions, which are not only adopted but monitored and updated regularly (not just prior to a PCI audit).
Everyone involved in maintaining the data chain needs to understand their role, their actions and their reporting process, and checks must be in place to make sure that they adhere to them.
Making it easier
Automation can take much of the pain out of managing this process – as does reducing scope using PCI P2PE and tokenization. Software tools can help monitor and analyze systems, record and flag events, and control information flows and access. Just like people, these tools need TLC and may need to be configured and tweaked on an ongoing basis, as threats evolve and standards tighten.
Some merchants may even choose to outsource eCommerce, using end-to-end solutions to remove their IT and compliance burden by shifting responsibility to the provider. In this case, they must make sure their payments partners are PCI compliant and seek assurance that they are monitoring and maintaining their payment environment effectively.
Keeping security front of mind
It goes without saying that being PCI compliant (or out of scope) doesn’t make a merchant invincible. Additional anti-fraud solutions and security processes may be required to keep data protected. It’s always a good idea to undergo regular vulnerability scans to spot any issues before they become a problem.
At the end of the day, the PCI DSS is not fixed but is constantly evolving – as are security threats and vulnerabilities. PCI compliance is not a destination; it’s a journey. Retailers should understand this and work with their internal teams and external solution providers and partners to make sure their payment systems are constantly up to standard.